diff --git a/README.md b/README.md
index c8ac31c..5d1e679 100644
--- a/README.md
+++ b/README.md
@@ -12,44 +12,3 @@ Raspberry pi as soundcard
 - gadget mode
 - OTG g_audio
 - https://audiosciencereview.com/forum/index.php?threads/raspberry-pi-as-usb-to-i2s-adapter.8567/post-215824
-
-## systemd hardening
-[Unit]
-Description=TEST
-
-[Service]
-Type=oneshot
-ExecStart=/opt/test
-
-ProtectSystem=strict
-ProtectHome=yes
-PrivateTmp=yes
-PrivateDevices=yes
-PrivateNetwork=yes
-PrivateUsers=yes
-ProtectHostname=yes
-ProtectClock=yes
-ProtectKernelTunables=yes
-ProtectKernelModules=yes
-ProtectKernelLogs=yes
-ProtectControlGroups=yes
-RestrictAddressFamilies=none
-RestrictFileSystems=ext4 tmpfs zfs
-RestrictNamespaces=yes
-LockPersonality=yes
-MemoryDenyWriteExecute=yes
-RestrictRealtime=yes
-RestrictSUIDSGID=yes
-RemoveIPC=yes
-PrivateMounts=yes
-SystemCallFilter=
-SystemCallArchitectures=native
-CapabilityBoundingSet=
-
-ReadOnlyPaths=/
-
-NoExecPaths=/
-ExecPaths=/opt/test /bin/bash /lib
-
-[Install]
-WantedBy=multi-user.target
diff --git a/test.service b/test.service
new file mode 100644
index 0000000..763e9b8
--- /dev/null
+++ b/test.service
@@ -0,0 +1,40 @@
+[Unit]
+Description=TEST
+
+[Service]
+Type=oneshot
+ExecStart=/opt/test
+
+ProtectSystem=strict
+ProtectHome=yes
+PrivateTmp=yes
+PrivateDevices=yes
+PrivateNetwork=yes
+PrivateUsers=yes
+ProtectHostname=yes
+ProtectClock=yes
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+ProtectKernelLogs=yes
+ProtectControlGroups=yes
+RestrictAddressFamilies=none
+RestrictFileSystems=ext4 tmpfs zfs
+RestrictNamespaces=yes
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+RemoveIPC=yes
+PrivateMounts=yes
+SystemCallFilter=
+SystemCallArchitectures=native
+CapabilityBoundingSet=
+ProtectProc=invisible
+
+ReadOnlyPaths=/
+
+NoExecPaths=/
+ExecPaths=/opt/test /bin/bash /lib
+
+[Install]
+WantedBy=multi-user.target